Analysis
-
max time kernel
151s -
max time network
167s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
02/02/2024, 12:56
General
-
Target
blur-installer.exe
-
Size
56.0MB
-
MD5
cc8d0921084401992c3f84cf6db0a9a5
-
SHA1
0f85447fa43ba0d77d60e857ed238f046347c4c5
-
SHA256
adeb24697fb2c829c513f1812aa5645717640599a5aeb964d45ec616e0ebd6b6
-
SHA512
dc662cfb40416553cad0738fe4c7407f3b04457f47bd766832a694f896e5834956eefe5bacce32022de33bca1a637e85f589479fe38b89b03ef259439753e644
-
SSDEEP
1572864:njXb31SEpfRrEE1sioTNq9ikYyjgL7c31nppNOnFMQi:njx1J7+ioyikY+gH41nppNlH
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\blur-installer.exe"C:\Users\Admin\AppData\Local\Temp\blur-installer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-KQ9NE.tmp\blur-installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-KQ9NE.tmp\blur-installer.tmp" /SL5="$701F0,57819947,879104,C:\Users\Admin\AppData\Local\Temp\blur-installer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-QQHG3.tmp\VC_redist.x86.exe"C:\Users\Admin\AppData\Local\Temp\is-QQHG3.tmp\VC_redist.x86.exe" /install /passive /norestart3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{2381BD94-3FFC-4449-8BF8-EB929F1BC4CB}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{2381BD94-3FFC-4449-8BF8-EB929F1BC4CB}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-QQHG3.tmp\VC_redist.x86.exe" -burn.filehandle.attached=512 -burn.filehandle.self=592 /install /passive /norestart4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Programs\blur\blur.exe"C:\Users\Admin\AppData\Local\Programs\blur\blur.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\GamePanel.exe"C:\Windows\System32\GamePanel.exe" 0000000000050302 /startuptips1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\bcastdvr.exe"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer1⤵
- Drops desktop.ini file(s)
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.1803282022\542066062" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7843df53-c2cc-49ae-ac5b-887a8cc276b3} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1764 1ed9e7c6158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.1532880333\1948705008" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18f58535-55d9-4b6c-9860-52bc0d9eb302} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2120 1ed93772558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.859217442\1848183759" -childID 1 -isForBrowser -prefsHandle 2684 -prefMapHandle 2476 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd41d519-ea54-4fb6-bdf0-3d7e1375fa3c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2648 1eda299a358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.1282875821\900084500" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf53f751-3dc1-4e4d-84af-7328cbcf5fd3} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3616 1eda0eed458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.1424246223\1165099986" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeedf832-70e8-457d-aab1-a3e56516e9fc} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4256 1eda3fb5e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.7.1621718520\747355339" -childID 6 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d409d0c-8040-42c4-9b63-4b9467577dcf} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 5180 1eda52d2b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.2074958103\1846279875" -childID 5 -isForBrowser -prefsHandle 872 -prefMapHandle 4864 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {110cc69c-7032-49b7-b403-c10b1c9ee9de} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 5012 1eda52d2258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.173323477\1925078605" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4888 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ac1f1c-ab78-4d33-b2d0-15dbd6bac7b8} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4992 1eda2f2fd58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.8.488058256\1810307377" -childID 7 -isForBrowser -prefsHandle 5232 -prefMapHandle 5228 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e51290-4830-4693-ad95-cb0c13721b5c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2944 1eda0f37e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.9.316192920\141968595" -parentBuildID 20221007134813 -prefsHandle 4148 -prefMapHandle 4300 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55e7ef06-8115-4805-baea-1b68a34cd1b9} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 5688 1eda6813258 rdd3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
165KB
MD5732163c80bc6fdf469d3f259897e995e
SHA1e7ce9db8fe3b6cc9cd70e4654b4ded056b3afb00
SHA256a3170c8d4256f48a494870cad175c915452b8032f75af61fc56455459dd5ff7c
SHA512830ef46069d7aa005a61bf4e866dc23728c9771f948c3d185bc084d39906b9eb7edb2637e64a39458fab13abcfdc112b3655ce076d0643b2de601e870b40a96c
-
Filesize
397KB
MD5d470bb711f85eaec8050229432474943
SHA1932d7a1ef54792ad0917f60dac4785c460da1758
SHA2561a6a5f6b82f9e8978c8599a84961f1df5b926b2fc10897f2868d58554de06e58
SHA512d065d93795d2ae354a7bca94f99350136e1ee2db312643e2ea7652af8d467d1265947c67e83eadfb31a1b623af738e0b537ebd8e67d2c1a5401aea8eef103d70
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
1KB
MD5b0dac8ef6953fb835c7d633e6a427ba7
SHA1f521b39e0501e178412d557ac85d625626b85326
SHA256c79f44850e7b4cc4fe9134722d9576e4766f6061b06ee713a3a88a87f3b4b4cc
SHA512de5d2189075a26dc2e9ba41c1bbf2d4ccd3d5fb475802a0d7a70e311a301c4c4cb619d9f15c6263a420583b4f8bf87fcd589d6f96fe7b1edc367b875d54cfdda
-
Filesize
103KB
MD5449919a8dbc0882ab75fbeb012634dd7
SHA1c457948d731f7d414a0f06a75c348d4035b19c86
SHA256f5ddfb8a27580e38c964a5455704a51df94e3796723ba145ed8ac44734110e93
SHA5120d0d94e063d6c49c4e4fc8e1dd933e6a4acca48cd875d274543a134b849f0db2aa5f92826c0dc3f728817b9adf005947ca0f94c878ae139ac9d372518c43fb91
-
Filesize
741KB
MD5eb379f6fd094dbbcf0f0a39fe5b23fc2
SHA14ad6763f4f1b0038cca888636bf5e98a038ec56b
SHA25647da3a00e470ceaf568af9f7225e723a682f99813e8c10110a1bdc997c8232ef
SHA512a0538befcdd59916b0942379238d39cce3eb1ddef0143cbbe102bedeae9ebfdcf35584ff8db361032d3b98e7b7020685af4d629ec896ab6a483ab7e2e7053dc0
-
Filesize
3.1MB
MD54c1da6e07f377da9421c0bd4cc33ac72
SHA1d7b292b13008e485fdb69f44d7e4ed15fea9a221
SHA256dea7aef5837642ed3243e95ec640b6404f06a8fbe210a82ebdbc76859c57c3c8
SHA512555559c738e2db80405b1a486403f1c384d291dfc3b526290b9d50f5796f76bb6a8e85e1d99c5f9fa022b4c06994c20ceba55bf6eaa6d0b9e81f3893c4a14cef
-
Filesize
13.1MB
MD51fb0faba3d602afe03740db3d145c1e6
SHA12c1ae47103e7f8d6072df4a8d9ceb382724ac59b
SHA2561acd8d5ea1cdc3eb2eb4c87be3ab28722d0825c15449e5c9ceef95d897de52fa
SHA5124509cfbd5f08cc32d68855edc285e8ba8caa7d2c4d044e4256dd907b205fda9a689c32ad7ef9ff3955e8390ed67498a54039a3cd4bfc9102ed82f9bd1255011a
-
Filesize
2KB
MD5ea99aa79108ecd58ce29378e4f7145b6
SHA11fe7c80951bc5ae0c909e1273aa68cb4b1f4c9bb
SHA256b745620bf227a574e68a9fca9d2047fe2d5f2a9575cab88c494261e539b44875
SHA5124292815b1990414662203a7f1f4ec5d3c0d627708fd3eb45c64f8964df2080d3e910248d207cfb5bdd1704cae81b7413eabec5ddc8145ad37e6a9f4e9b760f35
-
Filesize
746B
MD5172c81478344ef290befcf6898cab840
SHA128ee914af1fc2ad859e38b728eb89cc98ef4a512
SHA256b09add4ab74cc8a762d8020970154dfd8ad744433e93d63fe8a841ea0ad98d43
SHA512f4036b10ec6321db68566671c96e56a70f635edf32d453e401d670026744c13b1d80eebd8d69724c1b80836dfd0d904a5ad9f758aba80302d8f454ab2177eda9
-
Filesize
11KB
MD5124fa0c436537770d4d6ec6c1eb9fc6d
SHA13059316cc8e84dc37b05b8563ca669d9ced2de88
SHA2567ef09c0eacd87096d392a7667fcf48580df9e378796d260c67c924ca3f035f4d
SHA5120b69fed39958b3ba075608b42f85c8ad172e7e933a6258929cb7e9b1b220db421c8207d3cc15cee553d297b744df69aab0777b36d707d8e0a15e2b3f3d96770d
-
Filesize
6KB
MD58e24fd6ce6083ec4edd037fe382de0f5
SHA16e21c3c567263154b58633fcb4676368a81ad342
SHA25674c06111105123a746c0e36125d47dc91f68abc684499cad114ca9d1da3a4c30
SHA51279308fcd3e9e752eaecd631f57e37c2d0bcda242b5ee6e8e43033c92cf1df72873a2c966787a1bf5e572d9de368fdc91727e4e50852061cd6fde8349dc1ef79c
-
Filesize
6KB
MD514d9f50e5013bd6bd86e8c6df80f58f3
SHA13fccd0e2b051439e3ed706f93e80ffa9fabec288
SHA2568cf7ec28e67bda8fd7eae0ed40b5800c0de9cd462b8c0ab4b429bb8745c1ff6c
SHA512b1a337930c1b2a92586cd8251c0b60b671972768f2d035133db000853de3101dadc182806d24f786d3c8bb8be6e287ec3d5eeef476e261041f0378c00a8b96c9
-
Filesize
4KB
MD5c10a86f4da837b8ac6a641353c3c6bd8
SHA1bddc4c4a1ddc85f2fd249168fbd2f86c7a679bb8
SHA256024e0b52eab483c0c39faf1759478408ad586e2794fa94b3743bb5c967d3b65f
SHA512722516fc79e26535ca0c2c0e2eac8e509d30b86224e725c99bb74d15e182c24b9a3c1f26ed4384bc9c76ffe446618cb9e3fcfc9e0ddae51ff14db9ae92c6bb70
-
Filesize
1KB
MD5104b66589c6b60264a5dee8955d61662
SHA14cb37974b78b241947316f465f92c30699e98ef8
SHA256cebf3b6b7d3d4e1efe46edf8cf0680d1a4714ed2d3a56e7605381323784b8b21
SHA512106dd1e016db38542328740aae58707636e4ce6f0f287a3bda1e69f74b1748aa723b72050446742aee54196b1d3de89761c5c35de46921d8e755ef8935dab67c
-
Filesize
6KB
MD546196aa90395be7d3bbb50976d2eb0dc
SHA15ff13e19b4dc1b2f40b0da2c8c000c3cca70e5c0
SHA25621cb449658c5363cf1027cc6531b6f61fcf48d6ba6852f353d74680859b9befc
SHA5120faf6cdc620f4bd663c3c5c3ca7322f5438fc1f680db0ee50b0cdfa3904a8c62d180988941594fdb7bca7b9a76ce9208ffe51338c8901c94483b691b28c5faf6
-
Filesize
184KB
MD59eb79b3d53e352ef92c5c86a1b24ff21
SHA15932783b9840865da29a071ba4811377f5bd7579
SHA25606969407bf1c51fb2bbba374b6b6c721223ab54503f2abccb5978e5154d57df5
SHA51205fd360b46862dd9817e87b966bcc91858ebb7773a5695b1bbf4647d3d8d72b8c75e20bdc97b8e82bb63cda1abf4c4d25422d72847f16e28630ba723dda46335
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
Filesize
632KB
MD51636039e4940c80acaeb369852f79cef
SHA17d2b5110d1bf729d7fcd9e42a2b01a58dcc66a69
SHA256d116ecd1f04402430eb8ff5e07357f7ab2a2e0aa12dd6c5156e7f92705568e0e
SHA5123ba5c3225b74594d6121a45f225204e8eb4b80afc60849fe78a933afcc81f8db7221cdcbe5789ade1b3f2d784dc3659c08692f7bd808b85198cb78e601d8da02
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4KB
